SlideShare a Scribd company logo

security and compliance in the cloud

Ajay Rathi, profile picture
Ajay Rathi

The document discusses security and compliance challenges related to cloud adoption, including concerns around data security, regulatory compliance, and lack of visibility and control over cloud infrastructure. It analyzes predictions that cloud adoption will continue growing rapidly but security concerns will remain a hindrance. Recommendations are provided around conducting risk assessments, deciding what assets to move to the cloud based on sensitivity, and strategies for managing security, compliance, and service level agreements with cloud providers.

1 of 32
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
Security and compliance in the cloud: A practical case study on risk management AJAY RATHI
IDC Prediction for 2012 • 80% of new commercial enterprise apps will be deployed on cloud platforms • AWS[will] exceed $1 billion in cloud services business in 2012 with Google’s Enterprise business to follow within 18 months • Expects a merger and acquisition (M&A) feeding frenzy.”
Gartner Prediction for 2012 • By 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service • At year-end 2016, more than 50 percent of Global 1000 companies will have stored customer- sensitive data in the public cloud • By 2016, at least 50 percent of enterprise email users will rely primarily on a browser, tablet or mobile client instead of a desktop client
Forrester Prediction 2012 • Multi-cloud becomes the norm • Cloud commoditization is creeping up the stack • The Wild West of cloud procurement is over • The first cloud brokers will emerge • The lines between cloud and on-premises licensing models are blurring
Inhibition to Cloud Acceptance • Awareness • Security • Compliance • Inertia
Security: Responsible for Slowing Cloud Deployment Abuse and Nefarious Use of Cloud Computing Insecure Interfaces and APIs Malicious Insiders Shared Technology Data Loss or Leakage Unknown risk profile Consolidation, M&A, closures Cloud regulations and SLA
Security: Responsible for Slowing Cloud Deployment • Abuse & Nefarious Use of Cloud Computing – Weak registration process – Anonymity – Fraud detection capabilities. – Common storage Data – Neighbor’s identity, security profile or intentions. – Zeus Botnet command and control infrastructure
Security: Responsible for Slowing Cloud Deployment • Insecure Interfaces and APIs – Provisioning, management, orchestration, and monitoring use interfaces – Authentication and access control to encryption and activity monitoring – Anonymous access and/or reusable tokens or passwords – Clear-text authentication or transmission of content, – Inflexible access controls or improper authorizations,
Security: Responsible for Slowing Cloud Deployment • Malicious Insiders – Transparency in provider process and procedure – Access to physical and virtual assets – No visibility into the hiring standards. – Attractive opportunity for an adversary – The level of access granted
Security: Responsible for Slowing Cloud Deployment • Shared Technology Issues – Hypervisors flaws – Control on administrative access – Standard for recycle and Info creep – Workloads of different trust level – Disk partitions, CPU caches, not designed for strong compartmentalization
Security: Responsible for Slowing Cloud Deployment • Data Loss or Leakage – Insufficient authentication, authorization, and audit (AAA) controls; – Inconsistent use of encryption and software keys; – Persistence and reminisce challenges – Disposal challenges; – Data center reliability and DR
Security: Responsible for Slowing Cloud Deployment Unknown Risk Profile – Compliance of the internal security procedures – Configuration hardening – Patching, Auditing, Logging – Storage and access to logs – Security incidence handling
Security: Responsible for Slowing Cloud Deployment • Consolidation is concentration of risk. – Lehman/Titanic of cloud – Link failures/sabotage against a country • Closing down of cloud provider – ZumoDrive --- closing 01.06.2012 – Megaupload --- closed by FBI • Mergers and Acquisition – CenturyLink acquired Savvis for $2.5 billion. – Verizon acquired Terremark for $1.4 billion. – HP acquired Autonomy for $10.4 billion – SAP- Ariba , Oracle-virtue
Security: Responsible for Slowing Cloud Deployment • Regulations and SLA – SLA not robust enough for enterprise move – No international regulations – EU Privacy law – US Patriot law
How to be build cloud services Strategy Education Security Framework Assessment Managing SLA
security and compliance in the cloud
Deciding What, When and How to Move to the Cloud • Identify the Asset for the cloud deployment – Data – Applications/Functions/Process • Evaluate the Asset – Sensitivity and importance of the asset • Map the Asset to potential CDM – Public, private internal/external, community, hybrid • Evaluate potential CSM and providers – Degree of control at each SPI layer. – Risk management vis-à-vis regulatory controls.
Deciding What, When and How to Move to the Cloud • Sketch the potential data flow – Data flow between organization, cloud service and any other customer nodes – Identify risk exposure points. • Conclusion – Low value asset skip heavy controls – High Value assets look at on-site inspection, discoverability and complex encryption schemes. – High Value assets not subject to regulatory restriction- focus on technical's
security and compliance in the cloud
CSA Guidelines Cloud Architecture Governing the Cloud Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Operating in the Cloud Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization
Governing the Cloud • Governance: Secure the cloud before procurement – contracts, SLAs, architecture • Governance: Know provider’s third parties, financial viability, employee vetting • Legal: Plan for provider termination & return of assets • Compliance: Identify data location when possible • ILM: Persistence, Protection • Portability & Interoperability: SOA “loose coupling” principles
Operating the Cloud • BCM/DR: Provider redundancy Vs your own • DC Ops: Provisioning, patching, logging • Encryption: Encrypt data when possible, segregate Key mgt from cloud provider • AppSec: Adapt secure software development lifecycle • Virtualization: Harden, rollback, port VM images • IdM: Federation & standards e.g. SAML, OpenID
security and compliance in the cloud
Cloud reference model Software as a service Security control on infrastructure, application and data Platform as service Infrastructure as a service Physical, environmental and virtualization security
security and compliance in the cloud
security and compliance in the cloud
Consensus Assessment Initiative • Research tools and processes to perform shared assessments of cloud providers • Integrated with Controls Matrix • CAI Questionnaire approx. 140 provider questions to identify presence of security controls or practices • Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs www.cloudsecurityalliance.org/cai.html
Managing SLA • Most SLAs are written to Protect Vendor • Augment CSP SLAs with your OWN SLA • Questions on Data protection • Questions on Cost. • Track cloud service usage
Questions on DATA • How is the data encrypted? • Level of account access control • Data storage location. • Use of Subcontractor • Data backup and restore • Security of Data center • Copies of data ( Termination/failure of vendor) • Archival copies of the data to the customer? • Legal Enquiry on the customer data • What types of auditing tools are available? • How are compliance needs addressed?
Questions on DATA • What is the fee structure? • Are there hidden costs? • Are there add on costs or fees for support? • Are charges based upon traffic, usage or storage limits? • Are there taxes or other external fees? • Is there any type of price protection? • Are there licensing fees above and beyond the service fees?
security and compliance in the cloud
Ajay Rathi Q&A ajay.rathi@gmail.com

More Related Content

PDF
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak
 
PDF
Cloud Security - Made simple
Sameer Paradia
 
PPTX
Webinar compiled powerpoint
CloudPassage
 
PPTX
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Symosis Security (Previously C-Level Security)
 
PDF
Mindtree distributed agile journey and guiding principles
Mindtree Ltd.
 
PDF
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
Sherry Jones
 
PPT
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
PDF
Cloud Security
Hi-Tech College
 
Sukumar Nayak-Detailed-Cloud Risk Management and Audit
Sukumar Nayak
 
Cloud Security - Made simple
Sameer Paradia
 
Webinar compiled powerpoint
CloudPassage
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Symosis Security (Previously C-Level Security)
 
Mindtree distributed agile journey and guiding principles
Mindtree Ltd.
 
NIST Cyber Security Framework: 4 Steps for CIOs - Deloitte CIO - WSJ
Sherry Jones
 
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Cloud Security
Hi-Tech College
 

What's hot (20)

PPTX
Cloud Computing security Challenges for Defense Forces
commandersaini
 
PPTX
Cloud Computing Security
Nithin Raj
 
PPTX
Oracle security-formula
OracleIDM
 
PDF
Cloud Computing Risk Management (IIA Webinar)
Brian K. Dickard
 
PDF
A Study in Borderless Over Perimeter
ForgeRock
 
PDF
Cloud Security - Emerging Facets and Frontiers
Gokul Alex
 
PPTX
Cloud computing Risk management
Padma Jella
 
PPTX
Where to Store the Cloud Encryption Keys - InterOp 2012
Trend Micro
 
PDF
Cloud Security Governance
Shankar Subramaniyan
 
PPTX
45 Minutes to PCI Compliance in the Cloud
CloudPassage
 
PDF
Risk management for cloud computing hb final
Christophe Monnier
 
PDF
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CloudIDSummit
 
PDF
Risk based it auditing for non it auditors (basics of it auditing) final 12
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
PPTX
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
PDF
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
Skoda Minotti
 
PPTX
IDENTITY IS THE FIRST STEP TO TRUE NETWORK SECURITY
ForgeRock
 
PPT
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
PPTX
Vulnerability Testing Services Case Study
Nandita Nityanandam
 
PDF
Cloud Security Engineering - Tools and Techniques
Gokul Alex
 
PDF
110307 cloud security requirements gourley
GovCloud Network
 
Cloud Computing security Challenges for Defense Forces
commandersaini
 
Cloud Computing Security
Nithin Raj
 
Oracle security-formula
OracleIDM
 
Cloud Computing Risk Management (IIA Webinar)
Brian K. Dickard
 
A Study in Borderless Over Perimeter
ForgeRock
 
Cloud Security - Emerging Facets and Frontiers
Gokul Alex
 
Cloud computing Risk management
Padma Jella
 
Where to Store the Cloud Encryption Keys - InterOp 2012
Trend Micro
 
Cloud Security Governance
Shankar Subramaniyan
 
45 Minutes to PCI Compliance in the Cloud
CloudPassage
 
Risk management for cloud computing hb final
Christophe Monnier
 
CIS 2015 Identity and Data Security : Breaking the Boundaries - Nathanael Cof...
CloudIDSummit
 
Risk based it auditing for non it auditors (basics of it auditing) final 12
Thilak Pathirage -Senior IT Gov and Risk Consultant
 
ZERO TRUST ARCHITECTURE - DIGITAL TRUST FRAMEWORK
Maganathin Veeraragaloo
 
IT Compliance and Governance with DLP Controls and Vulnerability Scanning Sof...
Skoda Minotti
 
IDENTITY IS THE FIRST STEP TO TRUE NETWORK SECURITY
ForgeRock
 
Infrastructure Security by Sivamurthy Hiremath
ClubHack
 
Vulnerability Testing Services Case Study
Nandita Nityanandam
 
Cloud Security Engineering - Tools and Techniques
Gokul Alex
 
110307 cloud security requirements gourley
GovCloud Network
 
Ad

Viewers also liked (6)

PDF
Kaakelikeskus Tuulettuvat Julkisivut
Inspecta
 
PPTX
The Financial And Productivity Benefits V1.1
Ajay Rathi
 
PPTX
An introduction to asset backed securities
Firminy Capital Sarl
 
PPT
Onko laatan koolla väliä?
Inspecta
 
PPT
Vinkkejä laatoituksiin
Inspecta
 
PPTX
Collateral Debt Obligation – A Perspective
Ajay Rathi
 
Kaakelikeskus Tuulettuvat Julkisivut
Inspecta
 
The Financial And Productivity Benefits V1.1
Ajay Rathi
 
An introduction to asset backed securities
Firminy Capital Sarl
 
Onko laatan koolla väliä?
Inspecta
 
Vinkkejä laatoituksiin
Inspecta
 
Collateral Debt Obligation – A Perspective
Ajay Rathi
 
Ad

Similar to security and compliance in the cloud (20)

PPTX
Enterprise Security in Cloud
Lenin Aboagye
 
PDF
Security in the cloud planning guide
Yury Chemerkin
 
PPTX
Transforming cloud security into an advantage
Moshe Ferber
 
PPTX
Cloud security Presentation
Ajay p
 
PDF
Presd1 10
Niels Groeneveld
 
PPTX
Isaca cloud security presentation duncan unwin 16 jul13
Duncan Unwin
 
PDF
Security & Compliance in the Cloud [2019]
Tudor Damian
 
PDF
Security Considerations When Using Cloud Infrastructure Services.pdf
Ciente
 
PPTX
talk6securingcloudamarprusty-191030091632.pptx
TrongMinhHoang1
 
PPTX
Unc charlotte prezo2016
Sanjay R. Gupta
 
PPT
Lecture5
josephineusha
 
PDF
IBM Point of View: Security and Cloud Computing
IBM India Smarter Computing
 
PDF
IBM Point of view -- Security and Cloud Computing (Tivoli)
IBM India Smarter Computing
 
PPTX
Moving Enterprise Applications to the Cloud
VISI
 
PPT
Lecture31.ppt
amanyosama21
 
PDF
Peering Through the Cloud Forrester EMEA 2010
graywilliams
 
PDF
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
ptaglephd
 
PPTX
cloudComputingSec_p3.pptx
Steven Quach
 
PDF
How Secure Is Cloud
William Lam
 
PDF
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Adnene Guabtni
 
Enterprise Security in Cloud
Lenin Aboagye
 
Security in the cloud planning guide
Yury Chemerkin
 
Transforming cloud security into an advantage
Moshe Ferber
 
Cloud security Presentation
Ajay p
 
Presd1 10
Niels Groeneveld
 
Isaca cloud security presentation duncan unwin 16 jul13
Duncan Unwin
 
Security & Compliance in the Cloud [2019]
Tudor Damian
 
Security Considerations When Using Cloud Infrastructure Services.pdf
Ciente
 
talk6securingcloudamarprusty-191030091632.pptx
TrongMinhHoang1
 
Unc charlotte prezo2016
Sanjay R. Gupta
 
Lecture5
josephineusha
 
IBM Point of View: Security and Cloud Computing
IBM India Smarter Computing
 
IBM Point of view -- Security and Cloud Computing (Tivoli)
IBM India Smarter Computing
 
Moving Enterprise Applications to the Cloud
VISI
 
Lecture31.ppt
amanyosama21
 
Peering Through the Cloud Forrester EMEA 2010
graywilliams
 
Info Sec 2010 Possibilities And Security Challenges Of Cloud Computing (Han...
ptaglephd
 
cloudComputingSec_p3.pptx
Steven Quach
 
How Secure Is Cloud
William Lam
 
Architecting Data Services for the Cloud: Security Considerations and Best Pr...
Adnene Guabtni
 

security and compliance in the cloud

  • 1. Security and compliance in the cloud: A practical case study on risk management AJAY RATHI
  • 2. IDC Prediction for 2012 • 80% of new commercial enterprise apps will be deployed on cloud platforms • AWS[will] exceed $1 billion in cloud services business in 2012 with Google’s Enterprise business to follow within 18 months • Expects a merger and acquisition (M&A) feeding frenzy.”
  • 3. Gartner Prediction for 2012 • By 2016, 40 percent of enterprises will make proof of independent security testing a precondition for using any type of cloud service • At year-end 2016, more than 50 percent of Global 1000 companies will have stored customer- sensitive data in the public cloud • By 2016, at least 50 percent of enterprise email users will rely primarily on a browser, tablet or mobile client instead of a desktop client
  • 4. Forrester Prediction 2012 • Multi-cloud becomes the norm • Cloud commoditization is creeping up the stack • The Wild West of cloud procurement is over • The first cloud brokers will emerge • The lines between cloud and on-premises licensing models are blurring
  • 5. Inhibition to Cloud Acceptance • Awareness • Security • Compliance • Inertia
  • 6. Security: Responsible for Slowing Cloud Deployment Abuse and Nefarious Use of Cloud Computing Insecure Interfaces and APIs Malicious Insiders Shared Technology Data Loss or Leakage Unknown risk profile Consolidation, M&A, closures Cloud regulations and SLA
  • 7. Security: Responsible for Slowing Cloud Deployment • Abuse & Nefarious Use of Cloud Computing – Weak registration process – Anonymity – Fraud detection capabilities. – Common storage Data – Neighbor’s identity, security profile or intentions. – Zeus Botnet command and control infrastructure
  • 8. Security: Responsible for Slowing Cloud Deployment • Insecure Interfaces and APIs – Provisioning, management, orchestration, and monitoring use interfaces – Authentication and access control to encryption and activity monitoring – Anonymous access and/or reusable tokens or passwords – Clear-text authentication or transmission of content, – Inflexible access controls or improper authorizations,
  • 9. Security: Responsible for Slowing Cloud Deployment • Malicious Insiders – Transparency in provider process and procedure – Access to physical and virtual assets – No visibility into the hiring standards. – Attractive opportunity for an adversary – The level of access granted
  • 10. Security: Responsible for Slowing Cloud Deployment • Shared Technology Issues – Hypervisors flaws – Control on administrative access – Standard for recycle and Info creep – Workloads of different trust level – Disk partitions, CPU caches, not designed for strong compartmentalization
  • 11. Security: Responsible for Slowing Cloud Deployment • Data Loss or Leakage – Insufficient authentication, authorization, and audit (AAA) controls; – Inconsistent use of encryption and software keys; – Persistence and reminisce challenges – Disposal challenges; – Data center reliability and DR
  • 12. Security: Responsible for Slowing Cloud Deployment Unknown Risk Profile – Compliance of the internal security procedures – Configuration hardening – Patching, Auditing, Logging – Storage and access to logs – Security incidence handling
  • 13. Security: Responsible for Slowing Cloud Deployment • Consolidation is concentration of risk. – Lehman/Titanic of cloud – Link failures/sabotage against a country • Closing down of cloud provider – ZumoDrive --- closing 01.06.2012 – Megaupload --- closed by FBI • Mergers and Acquisition – CenturyLink acquired Savvis for $2.5 billion. – Verizon acquired Terremark for $1.4 billion. – HP acquired Autonomy for $10.4 billion – SAP- Ariba , Oracle-virtue
  • 14. Security: Responsible for Slowing Cloud Deployment • Regulations and SLA – SLA not robust enough for enterprise move – No international regulations – EU Privacy law – US Patriot law
  • 15. How to be build cloud services Strategy Education Security Framework Assessment Managing SLA
  • 17. Deciding What, When and How to Move to the Cloud • Identify the Asset for the cloud deployment – Data – Applications/Functions/Process • Evaluate the Asset – Sensitivity and importance of the asset • Map the Asset to potential CDM – Public, private internal/external, community, hybrid • Evaluate potential CSM and providers – Degree of control at each SPI layer. – Risk management vis-à-vis regulatory controls.
  • 18. Deciding What, When and How to Move to the Cloud • Sketch the potential data flow – Data flow between organization, cloud service and any other customer nodes – Identify risk exposure points. • Conclusion – Low value asset skip heavy controls – High Value assets look at on-site inspection, discoverability and complex encryption schemes. – High Value assets not subject to regulatory restriction- focus on technical's
  • 20. CSA Guidelines Cloud Architecture Governing the Cloud Governance and Enterprise Risk Management Legal and Electronic Discovery Compliance and Audit Information Lifecycle Management Portability and Interoperability Security, Bus. Cont,, and Disaster Recovery Operating in the Cloud Data Center Operations Incident Response, Notification, Remediation Application Security Encryption and Key Management Identity and Access Management Virtualization
  • 21. Governing the Cloud • Governance: Secure the cloud before procurement – contracts, SLAs, architecture • Governance: Know provider’s third parties, financial viability, employee vetting • Legal: Plan for provider termination & return of assets • Compliance: Identify data location when possible • ILM: Persistence, Protection • Portability & Interoperability: SOA “loose coupling” principles
  • 22. Operating the Cloud • BCM/DR: Provider redundancy Vs your own • DC Ops: Provisioning, patching, logging • Encryption: Encrypt data when possible, segregate Key mgt from cloud provider • AppSec: Adapt secure software development lifecycle • Virtualization: Harden, rollback, port VM images • IdM: Federation & standards e.g. SAML, OpenID
  • 24. Cloud reference model Software as a service Security control on infrastructure, application and data Platform as service Infrastructure as a service Physical, environmental and virtualization security
  • 27. Consensus Assessment Initiative • Research tools and processes to perform shared assessments of cloud providers • Integrated with Controls Matrix • CAI Questionnaire approx. 140 provider questions to identify presence of security controls or practices • Use to assess cloud providers today, procurement negotiation, contract inclusion, quantify SLAs www.cloudsecurityalliance.org/cai.html
  • 28. Managing SLA • Most SLAs are written to Protect Vendor • Augment CSP SLAs with your OWN SLA • Questions on Data protection • Questions on Cost. • Track cloud service usage
  • 29. Questions on DATA • How is the data encrypted? • Level of account access control • Data storage location. • Use of Subcontractor • Data backup and restore • Security of Data center • Copies of data ( Termination/failure of vendor) • Archival copies of the data to the customer? • Legal Enquiry on the customer data • What types of auditing tools are available? • How are compliance needs addressed?
  • 30. Questions on DATA • What is the fee structure? • Are there hidden costs? • Are there add on costs or fees for support? • Are charges based upon traffic, usage or storage limits? • Are there taxes or other external fees? • Is there any type of price protection? • Are there licensing fees above and beyond the service fees?

Editor's Notes

  • #8: 1. completely unaware of a neighbor’s identity, security profile or intentions. The virtual machine running next to the consumer’s environment could be malicious, looking to attack the other hypervisor tenants or sniff communications moving throughout the system.2. Data sits on common storage hardware, it could become compromised through lax access management or malicious attack3. a security bulletin from Amazon Web Services reported that the Zeus Botnet was able to install and successfully run a command and control infrastructure in the cloud environment.Data is very mobile in VMs compared to traditional servers.Storage administrators can easily reassign or replicate users’ information across data centers to facilitate server maintenance, HA/DR or capacity planning.EU Privacy Act forbids data processing or storage of residents’ data within foreign data centersUS Patriot Act allows federal agencies to present vendors with subpoenas and seize data
  • #9: From authentication and access control to encryption and activity monitoring, these interfaces must be designed to protect against both accidental and malicious attempts to circumvent policy.
  • #10: provider may not reveal how it grants employees access to physical and virtual assets, how it monitors these employees, or how it analyzes and reports on policy compliance. To complicate matters, there is often little or no visibility into the hiring standards and practices for cloud employees. This kind of situation clearly creates an attractive opportunity for an adversary —ranging from the hobbyist hacker, to organized crime, to corporate espionage, or even nation-state sponsored intrusion. The level of access grantedcould enable such an adversary to harvest confidential data or gain complete control over the cloud services with little or no risk of detection
  • #11: Workloads of different trust levels are consolidated onto a single physical server without sufficient separationAdequate controls on administrative access to the Hypervisor/VMM layer and to administrative tools are lacking
  • #14: Elastra’s management servers handle provisioning and operation of the application, adding and removing servers as needed
  • #18: How would we be harmed if the asset become public and widely distributedIf an employee of our cloud provider accessed the assetIf the process or function were manipulated by an outsiderIf the pocess or function failed to provide expected resultsIf the information/data were unexpectedly changedIf the asset were unavailable for a period of time.